The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software used in Japan is aggregated and IT users can easily access the information. JVN iPedia has collected and/or translated the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2013 4Q

~Vulnerability information stored in JVN iPedia is now over 43,000~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2013 (October 1 to December 31, 2013) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 43,000 (See Table 1-1, Figure 1-1).

As for the English version, the total of 987 vulnerabilities are available as shown in the lower half of the table.

These days, smartphones have been becoming rapidly widespread, and vendors and individuals are scrambling to develop smartphone applications. As Android increases its share on the smartphone market for the last few years, the number of Android vulnerabilities registered to JVN iPedia is also on the steep rise.

Figure 1-2-1 shows the Android vulnerabilities registered to JVN iPedia, categorized by whether they are OS or application vulnerabilities.
Of the total of 187, 133 are Android application vulnerabilities, which account for 71 percent.

Figure 1-2-2 shows the CVSS(*4)severity of the aforementioned 133 Android application vulnerabilities, divided into 6 categories from Google Play’s 26 categories(*5). Out of 133 vulnerabilities, 79 are in communication applications such as browsers and mailers and social applications for social networking, which account for 59 percent. The users of these applications need to realize if they keep using the old vulnerable versions, sensitive data like message contents, communication history and address book may be stolen.

p class="imageCenter">

Figure 1-2-3 shows the CWE(*6) types of the Android application vulnerabilities. As guessable from the incidents where sensitive data handled by applications are accessed and/or modified,
CWE-264 (Permissions, Privileges and Access Controls) is standing out with 32 vulnerabilities, followed by CWE-200 (Information Exposure) with 9.
This indicates
the types of vulnerabilities that can be used to steal sensitive data have been reported and registered a lot.

p class="imageCenter">

Not limited to Android devices, any devices that store sensitive personal information, such as smartphones, must be protected from vulnerability exploitation just like PCs. If using the old vulnerable versions of applications,
the users should update them immediately.
At the same time, the application developers
should proactively practice secure coding to avoid built-in vulnerabilities and develop safe applications.

~Compared to the ratio among overall vulnerabilities, the severity of ICS vulnerabilities tends to be higher~

The number of vulnerabilities in ICS software used in production plants and such has increased dramatically for the past few years. In 2013, 131 ICS vulnerabilities have been registered. Figure 1-3-1 shows the number and severity of ICS vulnerabilities stored in JVN iPedia. As of the 4th Quarter, the cumulative total since the launch of JVN iPedia is 437.
Out of 131 vulnerabilities registered in 2013, 80 are level lll, which account for more than 60 percent.

p class="imageCenter">

Figure 1-3-2 and 1-3-3 show the severity of vulnerabilities in the ICS software and across all software, respectively. As for the ICS software, 61 percent of the vulnerabilities are
level III (“High”, CVSS Base Score = 7.0-10.0),
37 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9) and 2 percent were level I (“Low”, CVSS Base Score = 0.0-3.9).
It is clear that the number of Level lll vulnerabilities is quite high compared to that of all software.

p class="imageCenter">

Figure 1-3-4 shows the CWE types of ICS vulnerabilities. The number of
CWE-119 (Buffer Errors) vulnerabilities that may pose a serious threat like arbitrary code execution are 122,
which
account for about 30 percent of the total.

p class="imageCenter">

The ICS operators
should check on vulnerability information regularly, and if a vulnerability is found in a product they use, ask its vendor or retailer if there is a solution, like an updated version,
and take necessary action promptly.
If they cannot take action immediately for some reasons, evaluate the system environment, such as network environment in which the vulnerable industrial control system operates and risks it faces, and consider what can be done to reduce the risks and mitigate the threats(*7).

2. Categorization of JVN iPedia Registered Data

2-1. Type of Vulnerabilities Registered

Figure 2-1 illustrates the number of vulnerability countermeasure information registered during the 4th quarter of 2013, sorted by their vulnerability type using CWE.

The type of the vulnerability that has been reported most during this quarter is CWE-264 (Permissions, Privileges and Access Controls) with 192 cases, followed by CWE-119 (Buffer Errors) with 182 cases, CWE-20 (Improper Input Validation) with 174 cases, CWE-79 (Cross-Site Scripting) with 169 cases.

Most of them are well-known types of vulnerabilities. Software developers need to
make sure to implement necessary security measures from the planning and design phase of software development.
IPA provides the guidelines that address these vulnerabilities, such as
“Secure Programming Course”(*8)
, and also offers a hands-on vulnerability learning and experiencing tool
“AppGoat(*9)
to promote secure programming.

p class="imageCenter">

2-2. Severity of Vulnerabilities Registered

Figure 2-2 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are threats high enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for IT users to update and apply security patches as soon as possible upon their release.

p class="imageCenter">

2-3. Type of Products Reported for Having Vulnerability

Figure 2-3 shows the annual transitions in the types of software applications registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. Application vulnerabilities are published most and account for 85 percent of the total.

Since about 2008, the vulnerabilities in ICS used in critical infrastructures have started to be added. As of the end of December 2013, the total of 437 vulnerabilities has been registered.

p class="imageCenter">

2-4. Open Source Software

Figure 2-4 shows the annual transitions in the registered vulnerabilities found in open source software (OSS) and non-OSS software based on the date they were first published. In total, 17,228 OSS vulnerabilities and 26,143 non-OSS vulnerabilities have been registered. One of the reasons that the number of non-OSS vulnerabilities registered seems higher than before after 2007 is because all the NVD data released in and after 2007 have been added to JVN iPedia. Overall, 40 percent of them are OSS and 60 percent are non-OSS.

p class="imageCenter">

2-5. Product Vendors

Figure 2-5-1 and 2-5-2 show the breakdown of OSS and non-OSS software developers (vendors) registered in JVN iPedia as of December 31, 2013. The vendors are categorized into either domestic vendors, overseas vendors with Japan office, or overseas vendors without Japan office.

As seen in the figures, the vendors without Japan office account for the most. As for OSS vendors, the overseas vendors without Japan office account for 96.4 percent, and as for non-OSS vendors, it is 91.3 percent. You can see that more than 90 percent of the vulnerability information are about the products developed by overseas vendors without Japan office.

The positive aspects of using OSS software are that it is free and easily available for use. On the other hand, there is a possibility that the OSS vendors do not offer a necessary support to use it safely. If IT users use OSS products,
it is important for them to prepare to have a capability where they can implement necessary security measures, such as applying patches, by themselves.

p class="imageCenter">

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia during the 4th quarter of 2013 (October – December). No. 1 was an Android OS vulnerability. Also, the vulnerabilities in server software used to build websites, such as Apache HTTP Server (No.4, 6, 17) and Apache Struts 2 (No. 9, 11), were accessed a lot.

Table 3-2 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers. The severity of all top 5 vulnerabilities is level lll (High), meaning the vulnerabilities that may cause a service outage in high probability if attacked have attracted attention.

Footnotes

(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.http://jvn.jp/en/

(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.http://www.nist.gov/

(*4)Common Vulnerability Scoring System (CVSS) http://www.ipa.go.jp/security/vuln/CVSS.html (in Japanese)
Based on a CVSS Base Score, it is evaluated in three levels. The higher the number, the higher the severity.
- Level III: A threat that could take complete remote control over the targeted system or lead to disclosure of a major part of information.
- Level II: A threat that could lead to disclosure of part of information or to denial of service.
- Level I: A situation where conditions required to execute an attack are complicated or the severity of a threat falls under the Level II but very unlikely to happen